When DNA stands for "deceptive, not authenticated"

Back in the day, consumers looking for a personalized product had to settle for a monogrammed hanky. GeneLink, Inc. and foru International Corporation claimed to take personalization to a new level by testing each buyer’s DNA and formulating products to address that person’s genetic weaknesses. But according to the FTC, the companies didn’t have sound science to support their claims. The complaint also charges that they didn’t use reasonable procedures to protect the security of customers’ personal information. If you or your clients make health claims – or if you collect or maintain sensitive consumer data – the case offers takeaway tips custom-designed for your company.

GeneLink and foru (formerly known as GeneWize Life Sciences) marketed products primarily through a multilevel system of affiliates. Affiliates sent prospective customers a free at-home test kit, including a cheek swab. Once the consumer mailed back the swab, a lab evaluated the sample for genetic variations called single nucleotide polymorphisms – SNPs. According to promotional materials, each SNP “predicts biochemical processes that are associated with significant physiological disadvantages, . . . the negative potential [of which] has been scientifically proven to be modulated by nutritional supplementation.” GeneLink and GeneWize offered dietary supplements and a skin serum purportedly customized to each person’s genetic profile and scientifically proven to compensate for genetic disadvantages identified in the assessment.

According to ads and other promotional materials, the supplements could treat serious conditions like diabetes, heart disease, arthritis, and insomnia. Claims for the skin serum cited a “double blind, randomized and controlled study” and promised the product would “compensate for particular deficiencies in areas of skin aging, wrinkling, collagen breakdown, irritation, and the skin’s ability to defend against environmental stress.”

The FTC’s complaint charges that the companies didn’t have sound science to support that the supplements could compensate for genetic disadvantages identified in the DNA test and reduce that person’s risk of illness. Those promises about diabetes, heart disease, arthritis, and insomnia? Unproven, alleged the FTC. The complaint also challenges the companies’ claim that the skin serum was scientifically proven.

Under the proposed settlements with GeneLink and foru, the companies can’t claim that a drug, food, or cosmetic will treat, prevent, or reduce the risk of any disease (including diabetes, heart disease, arthritis, or insomnia) by modulating the effect of genes or based on a person’s customized genetic assessment unless the claim is true and supported by at least two adequate and well-controlled studies. The orders also require that claims that a product treats or prevents a disease in people with a particular genetic variation must be supported by randomized clinical trials conducted on people who have that variation.

In addition, the companies are prohibited from making other claims about the health benefits, performance, or efficacy of any drug, food, or cosmetic by modulating the effect of genes or based on a person’s customized genetic assessment unless the claim is supported by competent and reliable scientific evidence. The proposed orders also prohibit the companies from misrepresenting scientific research about any drug, food, or cosmetic, or any genetic test or assessment. The orders include a safe harbor for advertising claims that have been approved by the FDA.

What about affiliates? Under the proposed orders, GeneLink and foru are prohibited from providing their affiliates or anyone else with the means to make the prohibited health claims. The proposed settlements also require the companies to monitor claims that affiliates make on their behalf.

But wait: There’s more. The complaint also addresses alleged lapses in the companies’ practices that, taken together, failed to provide reasonable and appropriate security for consumers’ personal information. Check the complaint for the specifics, but here are just a few things the FTC says the companies did – and didn’t do: They stored sensitive information in plain text. They didn’t use readily available measured to limit access to wireless networks. They allowed employees and service providers to access sensitive data without a legitimate business need. And they let service providers use real consumer data – not fake info – in the process of developing new software applications.

One example of the practical effect of those alleged lapses: a vulnerability that let an affiliate access the personal information of everyone in the companies’ customer database. The proposed order includes provisions to change how GeneLink and foru approach data security in the future, including every-other-year independent assessments of their security programs for the next 20 years.

The FTC welcomes comments about the proposed orders by the February 6, 2014, deadline. In the meantime, how can your company apply the lessons of this law enforcement action?

Compliance = Reliance on Science. If you make health-related representations, the law requires you to have sound science to support what you say. Once you make claims about disease prevention or the treatment or cure of serious medical conditions, you’ve upped the substantiation ante.

Truth serum. We hear it a lot: “It’s a cosmetic. We don’t need scientific substantiation.” That may be true if you’re touting a smoky eye or kissable lip. But once advertisers make objective claims – even for products that are topically applied – you’re under an obligation to honor truth-in-advertising standards.

Ways and means. Even though consumers bought the products from affiliates, the FTC alleged that GeneLink and foru were liable for the misrepresentations. How so? According to the complaint, GeneLink and foru created the ads and promotional materials and passed them on to affiliates. It’s not uncommon for FTC complaints to charge that a company provided others with the “means and instrumentalities” to commit deceptive acts. That makes legal compliance a priority regardless of where you are on the distribution chain.

Clean bill of health? If you collect or maintain sensitive data – health-related information, Social Security numbers, dates of birth, etc. – it’s important to build reasonable security into your day-to-day practices. Customers count on you to keep it confidential.

“Someone to watch over me.” George Gershwin wasn’t waxing melodic about a company’s relationship to its service providers, but he could have. Make your security standards clear, build compliance into your contracts, and monitor your service providers to see that they’re protecting the information entrusted to you.

Add new comment

Privacy Act Statement

It is your choice whether to submit a comment. If you do, you must create a user name, or we will not post your comment. The Federal Trade Commission Act authorizes this information collection for purposes of managing online comments. Comments and user names are part of the Federal Trade Commission’s (FTC) public records system (PDF), and user names also are part of the FTC’s computer user records system (PDF). We may routinely use these records as described in the FTC’s Privacy Act system notices. For more information on how the FTC handles information that we collect, please read our privacy policy.